bf-manage-web Auth and Permission Model
Session and identity loading
AuthProvider (src/context/authContext.tsx) calls /auth/users/me via useGetManageUser and stores:
- authenticated user payload
- workspace_acl
- selected workspace in session/local storage
Primary workspace selectors are stored as:
- localStorage.account_id
- sessionStorage.workspace_id
- optional sessionStorage.depot_id
Request authentication path
useAxios (src/hooks/useAxios.ts) request interceptor:
- fetches current Amplify session
- refreshes token if missing or expired
- sets Authorization: Bearer <token>
- sends scope headers (x-account-id, x-workspace-id, x-depot-id)
flowchart TD
Request[Client request] --> Session[fetch auth session]
Session --> Refresh{Token valid}
Refresh -- No --> ForceRefresh[force refresh token]
Refresh -- Yes --> Headers[attach auth and scope headers]
ForceRefresh --> Headers
Headers --> Send[send axios request]
UI permission gating
useCheckPermission (src/services/permissions.ts) uses:
- selected workspace role (workspace.role_name)
- static permission matrix in frontend
- admin bypass for user.is_admin
This powers conditional UI behavior across navigation, pages, and action controls.
flowchart TD
WorkspaceRole[Workspace role name] --> Matrix[Frontend permission matrix]
UserAdmin[User admin flag] --> Bypass{Is admin}
Bypass -- Yes --> Allowed[Allow action in UI]
Bypass -- No --> Matrix
Matrix --> FeatureOp[Feature and operation check]
FeatureOp --> UiDecision[Show or hide action]
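An added sketch of the decision in the flowchart above, not the project's own useCheckPermission code: the matrix contents, the `workspace_id` field on ACL entries and the `canShowAction` name are assumptions. It denies by default when the stored workspace is not in `workspace_acl` or when the role or feature is unknown.

```typescript
// Added example: names other than role_name and is_admin are assumptions.
type Operation = "read" | "create" | "update" | "delete";
type RoleGrants = { [feature: string]: Operation[] };

interface ManageUser { is_admin: boolean }
interface WorkspaceAclEntry { workspace_id: string; role_name: string }

// Constructed matrix; the real roles and features live in src/services/permissions.ts.
const PERMISSION_MATRIX: { [role: string]: RoleGrants } = {
  viewer: { orders: ["read"] },
  manager: { orders: ["read", "create", "update"], depots: ["read"] },
};

// Own-property lookup, so keys like "constructor" or "__proto__" never resolve
// to something inherited from Object.prototype.
function own<T>(table: { [key: string]: T }, key: string): T | undefined {
  return Object.prototype.hasOwnProperty.call(table, key) ? table[key] : undefined;
}

function canShowAction(
  user: ManageUser | null,
  workspaceAcl: WorkspaceAclEntry[],
  selectedWorkspaceId: string | null, // value read from sessionStorage.workspace_id
  feature: string,
  operation: Operation,
): boolean {
  if (!user) return false;                 // identity not loaded yet
  if (user.is_admin === true) return true; // admin bypass, as in the flowchart
  // A stale or edited workspace_id that is not in the ACL grants nothing.
  const workspace = workspaceAcl.filter((w) => w.workspace_id === selectedWorkspaceId)[0];
  if (!workspace) return false;
  const grants = own(PERMISSION_MATRIX, workspace.role_name);
  const operations = grants ? own(grants, feature) : undefined;
  return Array.isArray(operations) && operations.indexOf(operation) !== -1;
}
```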
Route guarding
ProtectedRoute currently guards for depot availability and optional SPA auto-reload flag behavior.
It is not the primary authorization enforcement mechanism.
Security posture in web layer
- Prevents users from accidentally triggering actions that are unavailable to them in the UI.
- Does not replace backend authorization checks.
- Always rely on backend for final permission enforcement.